diff --git a/.github/workflows/reusable_dockerfile_pipeline.yml b/.github/workflows/reusable_dockerfile_pipeline.yml
index 5b5ef61..acab2db 100644
--- a/.github/workflows/reusable_dockerfile_pipeline.yml
+++ b/.github/workflows/reusable_dockerfile_pipeline.yml
@@ -172,7 +172,7 @@ jobs:
           severity: "CRITICAL,HIGH"
 
   docker-build:
-    name: docker-build (${{ matrix.registry.name }}; ${{ matrix.registry.registry-url }}/${{ matrix.registry.registry-owner }}/${{ needs.prepare-env.outputs.output_image_name }}:${{ needs.prepare-env.outputs.output_short_sha }})
+    name: docker-build (${{ matrix.registry.name }}; ${{ matrix.registry.registry-url }}/${{ matrix.registry.registry-owner }}/${{ needs.prepare-env.outputs.output_image_name }})
     runs-on: "ubuntu-latest"
     # wait until the jobs are finished.
     needs: ["prepare-env", "logic-check", "docker-security"]
@@ -181,28 +181,40 @@ jobs:
       packages: write
     strategy:
       matrix:
+        # run-on-pr is used to skip running registries that are expected to fail
+        # due to github permission issues with org wide secrets.
         registry:
           - name: DockerHub
             user-secret: DOCKERHUB_USERNAME
             token-secret: DOCKERHUB_TOKEN
             registry-url: docker.io
             registry-owner: celestiaorg
+            run-on-pr: "false"
           - name: GHCR
             user-secret: ${{ github.repository_owner }}
             token-secret: GITHUB_TOKEN
             registry-url: ghcr.io
             registry-owner: ${{ needs.prepare-env.outputs.repo_owner }}
+            run-on-pr: "true"
           - name: ScaleWay
             user-secret: SCALEWAY_USERNAME
             token-secret: SCW_SECRET_KEY
             registry-url: rg.fr-par.scw.cloud
             registry-owner: celestiaorg
+            run-on-pr: "false"
       fail-fast: false
     steps:
+      - name: Check run conditions
+        id: run_check
+        # We only want to run when the registry is able to run on pr or if it is a merge event
+        run: echo "run=${{ matrix.registry.run-on-pr == needs.prepare-env.outputs.build_for_pr || needs.prepare-env.outputs.build_for_merge == 'true'}}" >> "$GITHUB_OUTPUT"
+
       - name: Checkout
+        if: ${{ steps.run_check.outputs.run == 'true'}}
         uses: "actions/checkout@v4"
 
       - name: Login to ${{ matrix.registry.name }}
+        if: ${{ steps.run_check.outputs.run == 'true'}}
         uses: docker/login-action@v3
         with:
           registry: ${{ matrix.registry.registry-url }}
@@ -210,6 +222,7 @@ jobs:
           password: ${{ secrets[matrix.registry.token-secret] }}
 
       - name: Extract Docker Metadata
+        if: ${{ steps.run_check.outputs.run == 'true'}}
         id: meta
         uses: docker/metadata-action@v5
         env:
@@ -233,9 +246,11 @@ jobs:
       # yamllint enable
 
       - name: Set up QEMU
+        if: ${{ steps.run_check.outputs.run == 'true'}}
         uses: docker/setup-qemu-action@v3
 
       - name: Set up Docker Buildx
+        if: ${{ steps.run_check.outputs.run == 'true'}}
         uses: docker/setup-buildx-action@v3
 
       # Build and Publish images on main, master, and versioned branches.
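Review bot: The run_check expression in the new "Check run conditions" step encodes the intent indirectly: `matrix.registry.run-on-pr == needs.prepare-env.outputs.build_for_pr` is true for a `run-on-pr: "false"` registry whenever build_for_pr is anything other than the literal string 'true', so if prepare-env can leave build_for_pr empty or unset on some event (not visible in this hunk) the DockerHub and ScaleWay login steps would still run and consume their secrets on an event that is neither a PR nor a merge. Spelling the condition out removes that dependence on the exact output value: `run: echo "run=${{ (needs.prepare-env.outputs.build_for_pr == 'true' && matrix.registry.run-on-pr == 'true') || needs.prepare-env.outputs.build_for_merge == 'true' }}" >> "$GITHUB_OUTPUT"`. The expression only ever expands to a boolean literal, so interpolating it into the shell line is fine here; the comment above it could say `# The expression yields only true/false, so interpolating it into the shell line is safe` to keep the next editor from substituting a free-form value. As a style point, every new `if: ${{ ... == 'true'}}` line in this hunk and in the Extract Docker Metadata, QEMU and Buildx hunks (and the two hunks that follow) lacks the space before `}}` that the existing `if:` lines in the file use.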
@@ -245,7 +260,7 @@ jobs:
       # the amd64 image since building the arm64 image takes significantly
       # longer.
       - name: "Merge on Main Trigger: Build and Push All Docker Images"
-        if: ${{ needs.prepare-env.outputs.build_for_merge == 'true' }}
+        if: ${{ needs.prepare-env.outputs.build_for_merge == 'true' && steps.run_check.outputs.run == 'true'}}
         uses: docker/build-push-action@v5
         env:
           OUTPUT_SHORT_SHA: ${{ needs.prepare-env.outputs.output_short_sha }}
@@ -265,7 +280,7 @@ jobs:
       # forks can't push, we still want to try and build the image to catch
       # bugs. For testing purposes we only need an amd64 image.
       - name: "Pull Request Trigger: Build and Push amd64 Docker Image"
-        if: ${{ needs.prepare-env.outputs.build_for_pr == 'true' }}
+        if: ${{ needs.prepare-env.outputs.build_for_pr == 'true' && steps.run_check.outputs.run == 'true'}}
         uses: docker/build-push-action@v5
         env:
           OUTPUT_SHORT_SHA: ${{ needs.prepare-env.outputs.output_short_sha }}
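Review bot: The `&& steps.run_check.outputs.run == 'true'` conjunct added to the merge-trigger `if:` is redundant, because run_check evaluates to true whenever build_for_merge == 'true', so this step's condition is unchanged from before the commit. If it is kept for uniformity with the other steps, a comment such as `# run_check is implied by build_for_merge here; kept for symmetry with the PR step` would stop a reader from looking for a behavioural difference. The PR-trigger conjunct in the following hunk is the one that changes behaviour, since registries with `run-on-pr: "false"` now skip the PR build entirely; the comment above that step, which appears to say the image is still built to catch bugs, should be updated to note that on PRs only registries marked `run-on-pr: "true"` are built and pushed.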